[luau] News - June 2002 Netcraft Web Server Survey

Warren Togami warren at togami.com
Mon Jul 1 02:55:01 PDT 2002


Wow.  Sharp increase of over 2 million new sites running Apache in June,
while Microsoft IIS dropped by about 700k.

This report also has another reminder to patch your Apache.  If you haven't
updated your Apache within the past week, you may be vulnerable to a remote
exploit.

On a related note, BSD users, be sure to patch your OpenSSH too.  Most BSD
versions are vulnerable to another exploit, even OpenBSD.  This is the first
remote exploit of OpenBSD default install in 6 years.  Most Linux
distributions did not have the vulnerable part of the OpenSSH exploit
compiled or enabled by default, but it wouldn't hurt to upgrade your OpenSSH
too.

----- Original Message -----
From: "Mike Prettejohn" <mhp at netcraft.co.uk>
To: <warren at togami.com>
Sent: Monday, July 01, 2002 1:16 AM
Subject: June 2002 Netcraft Web Server Survey

             The June 2002 Netcraft Web Server Survey is out;


                     http://www.netcraft.com/survey/


                               Top Developers

            Developer May 2002 Percent June 2002 Percent Change
            Apache    21120388   56.21  23154909   59.67   3.46
            Microsoft 11902821   31.68  11239613   28.96  -2.72
            Zeus        849089    2.26    799173    2.06  -0.20
            iPlanet     824245    2.19    687004    1.77  -0.42

                              Active Sites

            Developer May 2002 Percent June 2002 Percent Change
            Apache    10411000   65.11  10964734   64.42  -0.69
            Microsoft  4121697   25.78   4243719   24.93  -0.85
            iPlanet     247051    1.55    281681    1.66   0.11
            Zeus        214498    1.34    227857    1.34   0.00




  Around the Net


   Web more vulnerable to attack now than at any time previously.

   The publication of serious vulnerabilities in Microsoft-IIS and Apache
   over the last three weeks has created a situation where a majority of
   internet sites are likely to be accessible to remote exploit. On 11th
   June, Microsoft released a trio of advisories, the most serious of
   which referred to a [2]HTR buffer overflow that could be used to
   remotely compromise machines running Microsoft-IIS.

   Although Netcraft cannot explicitly test for the vulnerability
   without prior permission from the sites, around half of the
   Microsoft-IIS sites on the internet have .htr [3] mapping enabled,
   which indicates that the site is likely to be vulnerable to the
   attack, and indeed that some number will already be under the control
   of an external attacker.

   On the 17th June it was [4]reported that many versions of the Apache
   web server were vulnerable to a buffer overflow through flawed
   functionality affecting its "Chunked Encoding" mechanism. If
   exploited, this could lead to a remote system compromise and exploits
   are already known to have been developed for Windows, FreeBSD and
   OpenBSD. There is an active debate on whether exploits are possible
   for Linux and Solaris.

   Apache administrators have reacted quite quickly to the problem, and
   within a week of first publication, well over 6 million sites have
   been upgraded to Apache/1.3.26, issued by the Apache project in
   response to the problem. However, this still leaves around 14 Million
   potentially vulnerable Apache sites.

   With over half of the internet's web servers potentially vulnerable,
   conditions are ripe for an epidemic of attacks against both
   Microsoft-IIS and Apache based sites, and the first [5]worm,
   targeting sites running Apache on FreeBSD, has been spotted this
   weekend.

   Although potentially very disruptive, worms have a positive aspect, in
   that they draw the administrators' attention to vulnerable servers, and
   once patched the server is usually no longer available as a platform
   for more insidious activity. Last year, immediately prior to the Code
   Red worm, Netcraft was finding that around one in six ecommerce sites
   running Microsoft-IIS taking a security test from Netcraft for the
   first time had already been successfully compromised, and had a
   backdoor giving an external attacker control over the machine. The
   clear up from Code Red had the positive effect of flushing the
   majority of these backdoors out of the internet.

   Additionally, Microsoft has yesterday announced [6]details of some
   severe vulnerabilities in its Commerce Server software which give
   remote attackers the ability to execute arbitrary code on the server.
   There are around 36,000 sites using Commerce Server [or Site Server,
   its predecessor] including a significant number of ecommerce sites and
   banks.

   It is noteworthy that the vulnerabilities are equally applicable to
   SSL sites, and that in particular, most intrusion detection (IDS)
   facilities will not flag attacks implemented over SSL because the
   traffic is encrypted. This can provide a false sense of confidence to
   administrators, and, symmetrically, a suitable means of a stealthy
   attack.

   Everyone is encouraged to test their networks for vulnerabilities;
   details on Netcraft's own security testing services are available
   [1]here.




  References

  1. http://www.netcraft.com/security/
  2. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-028.asp
  3. http://www.netcraft.com/security/public-advisories/htr.html
  4. http://httpd.apache.org/info/security_bulletin_20020620.txt
  5. http://dammit.lt/apache-worm
  6. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-033.asp



Internet Research from Netcraft.

Netcraft does commercial internet research projects. These include
custom cuts on the Web Server Survey data, hosting industry analysis,
corporate use of internet technology and bespoke projects. All of the data
is gathered through network exploration, not teleresearch.

sales at netcraft.com


Network Security Testing from Netcraft.

Netcraft provides automated network security testing of customer networks
and consultancy audits of ecommerce sites. Clients include IBM,
Hewlett Packard, Deloitte & Touche, Energis, Britannic Asset Management,
Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc.

Details at http://www.netcraft.com/security/


To unsubscribe from the Netcraft Web Server Survey Announcements list
send the message

unsubscribe webserver-survey

to majordomo at netcraft.com

To resubscribe send the message

subscribe webserver-survey



Mike
--
Mike Prettejohn
mhp@netcraft.com  Phone +44 1225 447500  Fax +44 1225 448600
Netcraft  Rockfield House  Granville Road Bath BA1 9BQ  England
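The survey above measures how many sites have moved to Apache/1.3.26, the release the Apache project issued for the chunked-encoding problem. The following is an added example, not part of the original post or of Netcraft's survey code: a small inventory check that reads the Server header banners an administrator has collected from their own hosts, extracts the Apache version, and flags any 1.3-branch server below 1.3.26. The hostnames and banners are constructed sample data. Only the 1.3 branch threshold comes from the page; a server on any other branch, or one whose banner hides the version (e.g. via ServerTokens), is reported as "unknown" rather than guessed.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum release carrying the chunked-encoding fix, keyed by branch.
# Only the 1.3 branch figure (Apache/1.3.26) is stated in the survey text;
# other branches are deliberately left out and reported as "unknown".
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {(1, 3): (1, 3, 26)}

# Matches the leading product token of an Apache Server header, e.g.
# "Apache/1.3.26 (Unix) mod_ssl/2.8.9" -> 1, 3, 26
SERVER_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server header, or None when the
    banner is not an Apache banner with a visible three-part version."""
    match = SERVER_RE.match(server_header.strip())
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def classify(server_header: str) -> str:
    """Classify one banner as 'patched', 'vulnerable', 'unknown' or 'not-apache'.

    'unknown' covers a hidden version (a bare "Apache" banner) and branches
    for which this example carries no threshold; both need a manual check."""
    banner = server_header.strip()
    if not banner.startswith("Apache"):
        return "not-apache"
    version = parse_apache_version(banner)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def summarize(inventory: Dict[str, str]) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Count each status across an inventory and return per-host findings."""
    counts = {"patched": 0, "vulnerable": 0, "unknown": 0, "not-apache": 0}
    findings: Dict[str, str] = {}
    for host, header in inventory.items():
        status = classify(header)
        counts[status] += 1
        findings[host] = status
    return counts, findings


# Constructed sample inventory (hostname -> Server header); not survey data.
SAMPLE_INVENTORY = {
    "www1.example.test": "Apache/1.3.26 (Unix) mod_ssl/2.8.9",
    "www2.example.test": "Apache/1.3.24 (Unix)",
    "www3.example.test": "Apache/1.3.20 (Win32)",
    "www4.example.test": "Apache",                # version hidden in banner
    "www5.example.test": "Apache/2.0.36 (Unix)",  # branch not covered here
    "www6.example.test": "Microsoft-IIS/5.0",
}

if __name__ == "__main__":
    totals, per_host = summarize(SAMPLE_INVENTORY)
    for host, status in sorted(per_host.items()):
        print(f"{host:20} {SAMPLE_INVENTORY[host]:40} {status}")
    print("totals:", totals)
```

A banner comparison is only a first pass: a distribution may backport the fix without bumping the version string, and a hidden banner says nothing either way, which is why both cases land in "unknown" and should be confirmed against the vendor's bulletin rather than assumed safe.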



